Allowing guest network access to inside webserver using public IP

bhuffstutler
Level 1

I have an ASA 5505 running 8.2(5).  I have a guest network configured on its own interface and using a public DNS server.  I need to be able to access a web server that is on the inside interface using the web server's public IP.

The guest network uses 10.0.6.0/24 and the inside network uses 192.168.0.0/24.  The public IP of the webserver is x.x.139.171 which is NATed to 192.168.0.171.

I have seen some things mention using hairpinning or DNS doctoring, but I am not sure that those methods apply to this situation since we are working with two interfaces.

Is this even possible to accomplish?

I can post the config file if necessary.

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

To my understanding the first option might be adding the "dns" parameter to the existing Static NAT unless already present. The Static NAT configuration should look something like this

static (inside,outside) x.x.139.171 192.168.0.171 netmask 255.255.255.255 dns

The "dns" parameter should do so that the ASA will rewrite the DNS reply from the public DNS server when an internal host queries for the IP address of the server. The ASA should therefore forward the DNS reply with the internal IP address and the connections should work.

Alternatively, you could configure the same Static NAT from "inside" to "guest" (presuming your interface names since I have not seen the configurations)

static (inside,guest) x.x.139.171 192.168.0.171 netmask 255.255.255.255

This would mean that the hosts behind "guest" could connect to the server 192.168.0.171 using the public IP address x.x.139.171

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni


4 Replies


Remember that when you are coming from a lower security interface to a higher one, in this case the inside, you must configure an ACL.

If you have NAT control configured, you can configure an ACL that permits tcp/80 from the DMZ network to the translated address (X.X.139.171), then denies IP from the DMZ to any other port on this server's global address, then a deny from the DMZ to the local network (inside), and then a permit IP from the DMZ network to any. Obviously, apply the ACL name or number to an access-group applied to the DMZ interface.

Value our effort and rate the assistance!

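As an added example that is not part of the thread, here is how Jouni's two static statements and the ACL described in the reply above combine on an 8.2(5) ASA. It assumes the interface nameifs are inside, outside and guest (the thread never shows the configuration), uses the OP's subnets and addresses, and the ACL name GUEST_IN is made up for this example.

```cisco
! Added example, not the OP's configuration. Assumed nameifs: inside, outside, guest.
! The ACL name GUEST_IN is invented for this example.

! Existing outside static for the web server. The "dns" keyword tells the ASA to
! rewrite A-records for x.x.139.171 in DNS replies that pass through DNS inspection,
! so a host behind the ASA receives 192.168.0.171 instead of the public address.
static (inside,outside) x.x.139.171 192.168.0.171 netmask 255.255.255.255 dns

! Second static that presents the same public IP on the guest interface. This is the
! option the OP reported working: a guest host connects to x.x.139.171 and the ASA
! translates the destination to 192.168.0.171 on inside; no DNS rewrite is needed.
static (inside,guest) x.x.139.171 192.168.0.171 netmask 255.255.255.255

! guest is a lower security level than inside, so guest -> inside needs an explicit
! permit. On pre-8.3 code the ACL matches the address as the guest host sees it,
! i.e. the translated x.x.139.171, not 192.168.0.171. First match wins, so the
! specific permit comes first and the catch-all permit to the Internet comes last.
access-list GUEST_IN extended permit tcp 10.0.6.0 255.255.255.0 host x.x.139.171 eq www
access-list GUEST_IN extended deny ip 10.0.6.0 255.255.255.0 host x.x.139.171
access-list GUEST_IN extended deny ip 10.0.6.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list GUEST_IN extended permit ip 10.0.6.0 255.255.255.0 any
access-group GUEST_IN in interface guest
```

Two checks are worth running before trusting this. `packet-tracer input guest tcp 10.0.6.50 40000 x.x.139.171 80` (10.0.6.50 is a made-up guest host) walks the packet through the ACL and the NAT lookup and shows which static matched and whether the flow is allowed. For the DNS-rewrite variant, the `dns` keyword only takes effect on replies that DNS inspection actually processes, so confirm `inspect dns` is present in the service policy applied to the interface the DNS reply arrives on (`show service-policy inspect dns`); if inspection is absent for that traffic, the guest host keeps receiving x.x.139.171 and, without the second static, the connection never reaches the server.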

The DNS rewrite did not work, but the additional static NAT statement did.  Thank you.

Hi,

Glad to hear it worked out

I am not sure why the "dns" parameter didn't work. It should work for users behind other interfaces too even though the "static" command might refer to different interfaces.

- Jouni
